mirror of
https://github.com/YunoHost/SSOwat.git
synced 2024-09-03 20:06:27 +02:00
Merge pull request #197 from YunoHost/fix-not-only-alphanumeric-characters-domain-name
[fix] unauthorized redirect url check not matching non-alphanumeric chars in domain name
This commit is contained in:
commit
0ce337e17f
1 changed files with 5 additions and 2 deletions
|
@ -1070,8 +1070,11 @@ function redirect(url)
|
||||||
if not string.starts(url, "/") and not string.starts(url, "http://") and not string.starts(url, "https://") then
|
if not string.starts(url, "/") and not string.starts(url, "http://") and not string.starts(url, "https://") then
|
||||||
url = "https://"..url
|
url = "https://"..url
|
||||||
end
|
end
|
||||||
local domain = url:match("^https?://([%w%.]*)/?")
|
local is_known_domain = false
|
||||||
if string.match(url, "(.*)\n") or (domain ~= nil and not is_in_table(conf["domains"], domain)) then
|
for _, domain in ipairs(conf["domains"]) do
|
||||||
|
is_known_domain = is_known_domain or url:match("^https?://"..domain.."/?") ~= nil
|
||||||
|
end
|
||||||
|
if string.match(url, "(.*)\n") or not is_known_domain then
|
||||||
logger.debug("Unauthorized redirection to "..url)
|
logger.debug("Unauthorized redirection to "..url)
|
||||||
flash("fail", t("redirection_error_invalid_url"))
|
flash("fail", t("redirection_error_invalid_url"))
|
||||||
url = conf.portal_url
|
url = conf.portal_url
|
||||||
|
|
Loading…
Reference in a new issue